Package: devscripts
Version: 2.16.6
Severity: normal
File: /usr/bin/debcheckout
Tags: patch

Dear maintainers,

debcheckout should rewrite insecure alioth URIs to secure ones. This protects users from (e.g.) maliciously-inserted debian/rules scripts. It's especially important in unauthenticated mode.

The attached patch (suitable for git-am(1)) implements this.

-- Package-specific info:
--- /etc/devscripts.conf ---

--- ~/.devscripts ---
DEBCHANGE_FORCE_SAVE_ON_RELEASE=no
DEBRELEASE_UPLOADER=dput
DEBSIGN_KEYID=0x0F56D0553B6D411B
DEB_SIGN_KEYID=0x0F56D0553B6D411B
DEBSIGN_PROGRAM=gpg
RMADISON_DEFAULT_URL=debian,ubuntu
DSCVERIFY_KEYRINGS=~/.gnupg/pubring.kbx
DEBUILD_DPKG_BUILDPACKAGE_OPTS="-us -uc"

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: i386 (i686)

Kernel: Linux 4.5.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages devscripts depends on:
ii  dpkg-dev     1.18.10
ii  libc6        2.23-4
ii  perl         5.22.2-3
pn  python3:any  <none>

Versions of packages devscripts recommends:
ii  apt                         1.3~pre2
ii  at                          3.1.20-1
ii  curl                        7.47.0-1
ii  dctrl-tools                 2.24-2
ii  debian-keyring              2016.07.02
ii  dput                        0.9.6.4
ii  equivs                      2.0.9+nmu1
ii  fakeroot                    1.21-1
ii  file                        1:5.28-4
ii  gnupg                       2.1.14-2
ii  libdistro-info-perl         0.14
ii  libencode-locale-perl       1.05-1
ii  liblwp-protocol-https-perl  6.06-2
ii  libsoap-lite-perl           1.20-1
ii  liburi-perl                 1.71-1
ii  libwww-perl                 6.15-1
ii  licensecheck                3.0.13-1
ii  lintian                     2.5.45
ii  man-db                      2.7.5-1
ii  patch                       2.7.5-1
ii  patchutils                  0.3.4-1
ii  python3-debian              0.1.28
ii  python3-magic               1:5.28-4
ii  sensible-utils              0.0.9
ii  strace                      4.12-3
ii  unzip                       6.0-20
ii  wdiff                       1.2.2-1+b1
ii  wget                        1.18-2
ii  xz-utils                    5.1.1alpha+20120614-2.1

Versions of packages devscripts suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20160123cvs-3
ii  build-essential              12.2
pn  cvs-buildpackage             <none>
pn  devscripts-el                <none>
pn  diffoscope                   <none>
ii  dose-extra                   5.0-3
ii  gnuplot                      5.0.3+dfsg3-7
ii  gpgv                         2.1.14-3
ii  libauthen-sasl-perl          2.1600-1
ii  libfile-desktopentry-perl    0.22-1
ii  libnet-smtp-ssl-perl         1.03-1
pn  libterm-size-perl            <none>
ii  libtimedate-perl             2.3000-2
pn  libyaml-syck-perl            <none>
ii  mozilla-devscripts           0.47
ii  mutt                         1.6.0-1
ii  openssh-client [ssh-client]  1:7.2p2-8
ii  svn-buildpackage             0.8.6
ii  w3m                          0.5.3-29

-- no debconf information

-- 
Sean Whitton
From ccc3d7b1517f99c91c12053804513b3f6d20c910 Mon Sep 17 00:00:00 2001 From: Sean Whitton <spwhit...@spwhitton.name> Date: Thu, 11 Aug 2016 11:20:28 -0700 Subject: [PATCH] debcheckout: rewrite insecure alioth URIs --- debian/changelog | 3 +++ scripts/debcheckout.pl | 12 ++++++++++++ 2 files changed, 15 insertions(+) diff --git a/debian/changelog b/debian/changelog index 84c5def..88b5e0d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -17,6 +17,9 @@ devscripts (2.16.7) UNRELEASED; urgency=medium [ Christoph Berg ] * origtargz: Fix unpacking of tarballs found in --path. + [ Sean Whitton ] + * debcheckout: Rewrite insecure alioth URIs to use HTTPS. + -- Paul Wise <p...@debian.org> Fri, 15 Jul 2016 22:36:19 +0800 devscripts (2.16.6) unstable; urgency=medium diff --git a/scripts/debcheckout.pl b/scripts/debcheckout.pl index e9327bd..a998096 100755 --- a/scripts/debcheckout.pl +++ b/scripts/debcheckout.pl @@ -525,6 +525,17 @@ sub munge_url($$) return $repo_url; } +# Protect against out-of-date insecure alioth URIs. +sub secure_url($) +{ + my ($repo_url) = @_; + + $repo_url =~ s@^git://(anonscm|git)\.debian\.org/@https://anonscm.debian.org/git/@; + $repo_url =~ s@^http://(anonscm|git|hg|svn|arch|bzr)\.debian\.org/@https://anonscm.debian.org/@; + + return $repo_url; +} + # Checkout a given repository in a given destination directory. sub checkout_repo($$$) { my ($repo_type, $repo_url, $destdir) = @_; @@ -1088,6 +1099,7 @@ EOF print "declared $repo_type repository at $repo_url\n"; $destdir = $pkg unless length $destdir; } + $repo_url = secure_url($repo_url); my $rc; if (@files) { $rc = checkout_files($repo_type, $repo_url, $destdir, $browse_url); -- 2.8.1
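Review bot: in the secure_url hunk the two substitutions encode an asymmetric layout without saying so: the `git://` rule inserts a `/git/` path component (`git://(anonscm|git)\.debian\.org/` becomes `https://anonscm.debian.org/git/`), while the `http://` rule for the anonscm, git, hg, svn, arch and bzr hosts keeps the original path unchanged. A comment above each pattern stating that assumption would make the rewrite auditable, since a reader otherwise has to know that the git:// daemon path and the HTTPS path differ only by that prefix. Both patterns are also case-sensitive, whereas URI scheme and host are case-insensitive, so a `GIT://` or `Git.Debian.Org` URI is left as-is; adding the `/i` modifier to both substitutions closes that gap.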
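Review bot: in the second debcheckout.pl hunk, `$repo_url = secure_url($repo_url);` is inserted after `print "declared $repo_type repository at $repo_url\n";`, so the user is shown the insecure URI while the checkout actually uses the rewritten one; move the call above that print (or print the rewritten value) so the message matches what is fetched. The `$browse_url` handed to `checkout_files($repo_type, $repo_url, $destdir, $browse_url)` on the following line is not passed through secure_url, so an `http://` alioth Vcs-Browser URI reaches that code path untouched; applying the same rewrite to `$browse_url` would keep the changelog entry's promise for that case too.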
devscripts-devel mailing list
devscripts-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel